Risk and Opportunity Register - Master Sheet 


No. | Date raised | Ref | Opportunity/risk description (opportunities shaded in blue) | Risk appetite area | Risk appetite | IRSP Goals | Current probability | Current impact | Current overall priority | Strategic priority | Target probability | Target impact | Target overall priority

1 | 01/04/17 | R4 | Capacity and Capability: (Cause) Risk that increasing demand, public and stakeholder expectations, and/or additional unplanned work and/or reduced availability of staff results in (Threat) key resources being overstretched and having insufficient capacity to deliver all business plan requirements, (Impact) resulting in business operational issues and pinch points, possible failure to deliver regulatory priority activities and impacting upon the ICO's ability to deliver all of its intended objectives and outcomes.

2 | 30/04/19 | R73 | Compliance culture: (Cause) Risk that as demand and capacity increase and/or change, the ICO's infrastructure and accountability culture is unable to (Threat) keep up with the pace of change to comply with legal and other obligations expected of a modern regulator (Impact) impacting upon its ability to maintain and increase public trust and be an effective and knowledgeable regulator.


4 | 30/07/18 | R46 | Financial Resilience: (Cause) Risk that sensitivities in the income growth forecast and new territories of expenditure create inaccurate financial forecasting and planning assumptions (Threat) leading to insufficient funding and financial stress (Impact) impeding the ICO's ability to meet its statutory requirements, and full delivery of all of its intended IRSP goals and outcomes.


Risk appetite area cells extracted for rows 1 to 4 (row order not recoverable from the extraction): Infrastructure and resources; Organisational controls and compliance; Regulatory enforcement; Infrastructure and resources.


5 | 06/04/20 | R84 | Major Incident: (Cause) Risk that an internal or external major incident occurs (e.g. extreme weather, fire incident, chemical incident, pandemic (e.g. Covid-19), or deliberate incidents such as terrorist acts) which renders the ICO unable to utilise part or all of its resources and infrastructure (such as staff, buildings, IT systems etc) such that (Threat) the ICO is unable to deliver some, or in extreme cases all, of its regulation services, (Impact) increasing public information rights risk for a period of time and resulting in a reduced achievement of the IRSP Goals over the longer period. | Infrastructure and resources | Open | All goals


06/04/20 | R85 | Managing ICO Reputation: (C) Risk that decisions are taken without giving due consideration to the strategic reputational impact on the ICO (T) such that action is not taken at the right time to proactively and effectively manage the reputation of the ICO (I) impacting upon the ICO's ability to increase public trust and confidence, provide excellent public service and to demonstrate that it is an effective and knowledgeable regulator. | Reputational | Cautious | All goals | 3

7 | 30/06/17 | R2 | (description illegible in the extraction) | Organisational change and development | Open | 3

22/09/18 | R26 | Improving Productivity: (Cause) Risk that growth in the ICO's investment in infrastructure, people and process resources (Threat) is not effectively utilised to reduce contradictory efforts and duplication of effort, minimise delivery gaps, exploit new business models and maximise best use of ICO resources such that (Impact) whilst the ICO grows it does not improve efficiency and productivity and is no better placed to achieve the ICO's IRSP goals and corporate outcomes.


27/09/18 | R10 | Statutory Codes: (Cause) Risk that significantly complex and contentious subject matter (e.g. economic impact), alongside competing stakeholder audience expectations, slows the drafting and implementation of Statutory Codes of Practice such that (Threat) the ICO is unable to deliver the Codes within required timescales and to the desired quality through the eyes of external stakeholders (Impact) impacting negatively on the ICO's reputation and relevance as a regulator to deliver across all stakeholders, decreasing its public trust, influence and effectiveness.


11 | 27/11/18 | R61 | Litigation Resource: (Cause) Risk that multiple or a single significant legal challenge or trend emerges (Threat) diverting significant financial and non-financial resources into possibly lengthy legal disputes (Impact) impacting upon the ICO's ability to legally defend itself, which could have a domino effect on its decision making, its financial resilience, its reputation as an effective regulator and diluting its operational ability to achieve all of its IRSP goals. | Infrastructure and resources | Open | 4 | 3 | 4 | Same | Corporate | 2


12 | 07/07/20 | R88 | Future role of the ICO: (Cause) Government led reviews of the role of the future data protection regulatory framework, and of the ICO's role, governance and remit (Threat) lead to organisational and stakeholder uncertainty (Impact) impeding the ability of the ICO to regulate with maximum efficiency and effectiveness, plan for the future and have clarity of its strategic objectives. | Organisational change and development | Open | All goals


13 | 01/04/17 | R29 | Technology Relevant Regulator: (Cause) Insufficient resources, knowledge, training and external engagement prevent the ICO from (Threat) engaging with and effectively regulating emerging technology-based threats to information rights (Impact) such that it is impeded in fully achieving all of its IRSP goals, in particular goal #6, and results in poor reputational perception of the ICO as a relevant regulator for cyber related privacy issues. | Staff recruitment, retention and development | Averse | 4 | 3


14 | 08/03/19 | R72 | SMOs: (Cause) Risk that the ICO does not sufficiently recognise and act on the needs of small organisations such that the ICO (Threat) does not provide SMOs with value for money relevant services resulting in (Impact) low levels of awareness, poor trust and information rights practices from SMOs impacting upon the ICO's delivery of the IRSP goals around increasing public trust and confidence, improving standards of practice and being an effective regulator. | Regulatory guidance and strategy | Open | 1,2 | 3 | 4 | Same | Corporate | 2 | 3
15 | 15/06/20 | R87 | International position: (Cause) The uncertain global context in which the ICO operates (in particular the UK's future global relationships with and outside the EU and implications of the Covid19 pandemic) leads to (Threat) the ICO failing to develop and maintain effective international relationships or effectively deliver aspects of its domestic regulatory role, thereby reducing opportunities to develop global collaborative DP approaches on policy, tech and interoperability and (Impact) putting at risk our ability to protect the UK public's interests. | Reputational | Cautious

Risk appetite area cells extracted for this block whose row is not recoverable: Organisational change and development; Staff recruitment, retention and development / Averse; Organisational change and development.

13/04/18 | Fails to deal with issues arising from Operation Cederberg in a timely and effective way; in particular in relation to the public challenge to ICO regulatory decisions. | Regulatory investigation and intervention | Cautious

Dates raised extracted alongside the two rows below (row order as extracted): 02/09/19; 01/04/18.

Management Board and Executive Team capacity and resilience may not be sufficient to retain clarity of leadership and direction during a critical period of change to the regulatory landscape, resulting in delay to the achievement of the IRSP goals and operational, regulatory and organisational priorities.

Risk that there is inadequate oversight or planning of the ICO's business projects programme, which may result in projects not being delivered to time, to scope, or within budget, threatening the achievement of a number of elements pertinent to the IRSP goals.

20 | 20/09/19 | R25 | Failure to provide adequate support to ICO senior leaders results in failure to meet strategic goals and priorities.

21 | 01/10/18 | R32 | ICO fails to comply with information rights law, in particular in relation to its own compliance with FOI, GDPR and DPA18.

22 | 15/09/18 | R40 | Opportunity to award grants to support independent, innovative research and solutions focused on privacy and data protection issues. Risk of those receiving funds failing to deliver the agreed project.

23 | 02/10/18 | Inadequate physical security measures result in a security breach at an ICO office or a personnel security issue.

25 | 15/09/18 | R20 | We fail to successfully make the case for the funding and resources required to deliver the scope of our duties under FOIA/eIDAS and NIS, and the Grant in Aid awarded is not sufficient to support the achievement of our stated priorities.

26 | 05/06/17 | R28 | Poor records management practice means that it is difficult for staff to find (or be provided with) the relevant corporate information that allows them to do their job.

27 | 27/09/18 | R31 | Failure to provide advice and guidance to staff on regulatory issues in a timely manner results in inconsistency of external advice.

28 | 30/06/17 | R50 | Legislation or its legal interpretation presents unanticipated challenges to the ICO operational model.

29 | 20/09/19 | R55 | The website functionality and user experience does not allow the ICO to communicate effectively.

30 | 11/04/19 | R75 | Our understanding and regulation of the use of web and cross-device tracking for marketing purposes (a regulatory priority) does not keep pace with the use of those processes and technologies in the market, meaning we cannot act as an effective regulator in this space and the public's data and privacy rights are not protected as a result.

Risk appetite area cell extracted for this block whose row is not recoverable: Staff recruitment, retention and development / Averse.

24 | 01/04/18 | R19 | Our DP Fees Service is not equipped to maximise ICO fee collection and resources. | Infrastructure and resources | Open


31 | 01/04/17 | R56 | The risk that day to day IT is not reliable or fit for purpose. | Infrastructure and resources | Open | Same | Not strategic | 2 | 4

32 | 13/07/18 | R12 | We fail to be the best employer we can be, attracting and retaining the very best talent. | Staff recruitment, retention, development, wellbeing and safety | Cautious | Same | Strategic | 2 | 2

08/01/19 | We fail to manage high profile investigations in the most efficient and effective way possible, minimising the resultant impact of the investigation. | Regulatory investigation and intervention | Cautious

01/04/18 | R18 | Risks and opportunities are not managed adequately across the organisation, leading to inefficient or ineffective use of resources during times of competing priorities such that it takes longer to achieve planned objectives that contribute to meeting all 6 of the IRSP goals. | Organisational controls and compliance | Cautious

20/09/18 | We fail to inspire continuous improvement through common values and a high performance culture. | Staff recruitment, retention, development, wellbeing and safety | Cautious

36 | 20/09/18 | Communication with individuals fails to inspire trust and confidence in how personal data is handled. | Reputational | Cautious | Same | Strategic

01/10/18 | We fail to promote awareness of the ICO as the information rights regulator, meaning stakeholders and the public do not access ICO services. | Reputational | Cautious

02/10/18 | R59 | We fail to attract, develop and sustain a workforce with sufficient capability. | Staff recruitment, retention, development, wellbeing and safety | Cautious

08/03/19 | R79 | That our communications activities are not aligned with our strategic priorities, leading to the failure to engage relevant audiences to positively influence our work as a regulator. | Reputational | Cautious


Dates raised extracted for the rows in this block (row order not recoverable): 13/07/18; 20/12/18; 20/12/18; 11/04/19.


We fail to improve organisational compliance across DP and FOI and are not seen as an effective regulator. | Regulatory guidance and strategy | Open

Our thematic reports do not reach the right audience and fail to have meaningful impact. | Regulatory guidance and strategy | Open

Our regulation of surveillance technology, including AFR, (a regulatory priority) falls behind developments in and use of that technology across public and private sectors, with associated harm to the public. | Regulatory investigation and intervention | Cautious

ICO staff fail to own and develop their individual capability and to maximise their personal contribution to our strategic goals and priorities.

Dates raised extracted for the rows in this block (row order not recoverable): 24/09/18; 01/04/18; 01/04/18.

Risk appetite area cell extracted for this block whose row is not recoverable: Staff recruitment, retention, development, wellbeing and safety / Cautious.

We don't adequately identify information governance and security risks when implementing new projects, systems and processes. | Security | Averse

Continuous change, update and system refreshes may introduce vulnerabilities to our IT systems. Introduction of new Ways of Working (WoW) increases the attack surface of the organisation due to additional device functionality and new working practices of our staff. | Security | Averse

We fail to adequately resource or make optimum use of intelligence to inform our operational and corporate decisions.


44 | 01/04/18 | R44 | That the ICO fails to take advantage of opportunities to communicate our key messages to the public, to stakeholders and to new audiences. | Reputational | Cautious


08/01/19 | (description not present in the extraction) | Regulatory assessment | Cautious

We fail to develop and maintain an expert and resilient workforce. | Staff recruitment, retention, development, wellbeing and safety | Cautious


R21 | Cyber Security: (Cause) Risk that, although the ICO is continuously vigilant with its cyber security controls, as the ICO's profile increases and it innovates with new technology systems, (Threat) it becomes increasingly at risk of a security breach, either malicious or inadvertent from within the organisation or from external attacks by cyber-criminals. (Impact) This could result in many negative impacts, such as distress to individuals, legal, financial and serious reputational damage to the ICO, and possible penetration and crippling of the ICO's IT systems preventing it from delivering its regulatory functions and IRSP goals. | Security | Averse | Same | Corporate
R86 | Political and Economic Environment: (Cause) Risk that the ICO doesn't have the plans or the ability to respond to changes in the economic climate, government policy or to government attitudes and reviews, meaning that the ICO doesn't (Threat) adapt and flex quickly enough or in the right way to meet changing stakeholder views and needs (Impact) preventing the achievement of the IRSP goal to be an effective and efficient regulator. | Regulatory guidance and strategy | Open | New | Corporate


Poor industrial relations may impair engagement between ICO management and its workforce, leading to sub-optimum productivity and reduced ability to deliver change. | Organisational change and development | Open | Same | Not strategic

Policy guidance is not responsive to external developments and stakeholder needs. | Regulatory guidance and strategy | Open | Up | Not strategic

Fail to communicate a clear corporate vision and narrative to staff to enable them to understand the goals and priorities of the office. | Organisational change and development | Open | Same | Not strategic

Cyber defences are not sufficiently robust because the IT environment is not maintained to the required standard, security and integrity, especially during a period when the ICO is moving its IT managed service contract away from Northgate to other suppliers and to increased in-house support. | Security | Averse | Down | Not strategic
01/04/17 | Failure to comply with procurement, financial or contractual obligations (compliance). | Legal | Averse


56 | 01/04/17 | Strategic IT projects are not delivered to time, cost or quality: | Organisational change and development | Open
* Ways of working
* TICE
* EDRM
* Website

28/11/19 | If the ICO, in its role as a regulator, fails to deploy its powers in a targeted, proportionate and effective way, there is a risk that our regulatory interventions will not achieve the change in behaviour needed to build public trust and confidence. | Cautious
23/05/19 | Our understanding and regulation of the data broking market does not keep pace with developments in the market (a regulatory priority), meaning we cannot act as an effective regulator in this space and the public's data and privacy rights are not protected as a result.

Risk appetite area cells extracted for this block whose row is not recoverable: Regulatory enforcement; Regulatory assessment; Regulatory guidance and strategy; Anti-fraud and financial controls / Averse; Infrastructure and resources / Open; Anti-fraud and financial controls / Averse.

59 | 22/07/19 | R80 | Our understanding of the way political parties and campaigns are using personal data in modern campaigning techniques (a regulatory priority) fails to keep pace with technological developments in this area, meaning we can't act as an effective regulator in this space, which has an impact on citizens' privacy rights and our democratic system.

01/04/18 | R51 | Loss of resources as a result of fraud or misappropriation of funds.

61 | 05/05/17 | R52 | That we do not have sufficient space to accommodate our expanding workforce.

62 | 01/04/18 | R53 | Incorrect or misstated financial information leads to poor decision support.
Dates raised extracted for the rows in this block (row order not recoverable): 22/09/18; 01/04/18; 12/06/19; 20/12/18; 22/05/19; 14/01/19; 11/04/19; 14/09/20. Ref R76 and the risk appetite area cell Reputational are also extracted without a recoverable row.

R79 | We fail to be an effective and knowledgeable regulator for AI, big data and automated decision-making involving personal data (a regulatory priority), both in terms of how we regulate AI and how we use AI.

Opportunity for staff to positively engage with stakeholders through responsible use of social media.

We fail to recognise and keep up to date with changes in expectations re the way our stakeholders engage with us, in particular the use of social and other media channels, leading to a reduced audience for our key messages.

That the ICO does not deliver its regulatory obligations and ambitions in relation to children's privacy (a regulatory priority).

The Information Commissioner's regulatory powers are improperly delegated or exercised, causing the ICO to act ultra vires and being open to legal challenge.

Our regulation of cyber-security (a regulatory priority) fails to be effective (i) as we build our capacity and capability and (ii) as advances in technology and new and emerging threats increase in complexity.

Compensation: (Cause) The ICO is unable to award compensation to complainants, unlike other ombudsman services. As a consequence, (Threat) consumers go to an ombudsman scheme where compensation can be awarded, (Impact) so the ICO is not seen as a relevant regulator and fails to capture data about these breaches.

We fail to deliver a new FOI strategy which is ambitious and meets the needs of external stakeholders, complainants and the public.